Trusted Platform Module " TPM " Security Defeated in 30 Minutes

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,438
Researchers at the security consultancy Dolos Group, hired to test the security of one client’s network, received a new Lenovo computer preconfigured to use the standard security stack for the organization. They received no test credentials, configuration details, or other information about the machine. An analysis of the BIOS settings, boot operation, and hardware quickly revealed that the security measures in place were going to preclude the usual hacks, including:
  • pcileech/DMA attacks because Intel’s VT-d BIOS protection was enabled
  • Authentication bypasses using tools such as Kon-boot
  • Use of tools such as LAN turtle, Responder to exfiltrate data from USB ethernet adapters
With little else to go on, the researchers focused on the trusted platform module, or TPM, a heavily fortified chip installed on the motherboard that communicates directly with other hardware installed on the machine. The researchers noticed that, as is the default for disk encryption using Microsoft’s BitLocker, the laptop booted directly to the Windows screen, with no prompt for entering a PIN or password. That meant that the TPM was where the sole cryptographic secret for unlocking the drive was stored.

Microsoft recommends overriding the default and using a PIN or password only for threat models that anticipate an attacker with enough skill and time alone with an unattended target machine to open the case and solder motherboard devices. After completing their analysis, the researchers said that the Microsoft advice is inadequate because it opens devices to attacks that can be performed by abusive spouses, malicious insiders, or other people who have fleeting private access. “A pre-equipped attacker can perform this entire attack chain in less than 30 minutes with no soldering, simple and relatively cheap hardware, and publicly available tools,” the Dolos Group researchers wrote in a post, “a process that places it squarely into Evil-Maid territory.”
The writeup shows how security is an iterative process that involves defenders putting new measures in place, attackers learning how to knock them down, and defenders revising those defenses or adding new ones. Defenses like full-disk encryption with BitLocker, locked BIOSes, UEFI SecureBoot, and TPMs can only go so far before someone finds ways to defeat them, at least given certain types of common configurations. Now, it’s on defenders to figure out where to go from here.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,117
I had in mind this article in my post in the thread about TPM:
https://malwaretips.com/threads/how-windows-10-uses-the-trusted-platform-module.108948/post-953283

The most important part is as follows:

One has to use "Allow enhanced PINs for startup" policy and sophisticated enhanced PIN to make the brute-force attacks unprofitable. Using TPM with startup key and PIN, can increase the protection (The startup key can be stored on a removable device, for instance, a USB-stick).

https://docs.microsoft.com/en-us/wi...cker-countermeasures#attacker-countermeasures
 

Local Host

Level 24
Verified
Sep 26, 2017
1,322
There is no security to discuss when we talking local attacks with physical access to the machines, this is nitpicking to put TPM in a bad light, and is honestly ridiculous at best.

Is enough to fool less tech savvy users that won't ever bother to read beyond the title, I expect this to be used to counter Windows 11 requirements and long discussions, same way when the media made false accusations about the Windows 10 privacy concerns (which is still used as an excuse to not use Windows 10 by less intelligent humans).
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,117
Yes. Most of the articles that are posted on MT are related to organizations.
The whole discussion about TPM security (pros and cons) is not especially important for Home users (so far). No one here will use sophisticated enhanced PIN and startup key to protect the Home desktop machine. Furthermore, about 1/3 of users (or more) do not have machines with TPM.
Anyway, MT is a security forum so discussing such articles is normal.
 
Last edited:

SpiderWeb

Level 6
Aug 21, 2020
253
Windows is like swiss cheese of security. Even if you have a TPM and all security mechanisms in place, privilege escalation is too easy to achieve because at the core, the kernel is from 1994.
 
  • Like
Reactions: Nevi and venustus
Top